tomcat-users mailing list archives

From ma...@apache.org
Subject Re: CVE-2012-0022 details
Date Sun, 22 Jan 2012 22:08:40 GMT
Christopher Schultz <chris@christopherschultz.net> wrote:

>David,
>
>On 1/21/12 3:02 AM, David Jorm wrote:
>> Based on reading the advisory and Tomcat patch code, it seems to me
>> that the issue is simply slow processing when a very large number
>> of parameters is received with a request.
>
>The parameter names must have colliding hash code values in order to
>exercise this particular vulnerability. Otherwise, large numbers of
>request parameters are merely a potential memory exhaustion
>vulnerability (which is a different issue).

No, no, no. That is completely wrong. CVE-2012-0022 is solely about the number of parameters
and NOTHING TO DO WITH HASH COLLISIONS.

>> The JBoss Web patch we implemented for CVE-2011-4858 (hash DoS) 
>> limits the number of parameters that can be passed with a request
>> to 512 by default.
>
>Limiting the number of request parameters is one mitigating technique.
>Tomcat uses 10000 as the default limit which seems reasonable for most
>users and, of course, can be raised or lowered if necessary.

Limiting the number of parameters provides defence against *any* attack vector that depends
on a large number of parameters.

The limit was primarily put in place to protect against hash collisions, not CVE-2012-0022,
although it does go a long way to protect against this issue too.

Mark


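As an added illustration of the point Mark makes above, and not code from Tomcat or from anyone in this thread: a minimal form-parameter parser that checks a count limit before it decodes each name/value pair, so the work done for a request is bounded by the limit however many parameters the client sends, which is why one limit covers both the slow-processing issue and the hash-collision issue. The 10000 default is the Tomcat figure quoted in the thread; the function names and the constructed sample query are assumptions of this example, and it is a simplified model, not the connector code (in Tomcat the equivalent knob is the Connector's `maxParameterCount` attribute).

```python
from urllib.parse import unquote_plus

DEFAULT_MAX_PARAMETER_COUNT = 10000  # Tomcat's default, as quoted in the thread


class TooManyParameters(Exception):
    """Raised when a request carries more parameters than the configured limit."""


def parse_parameters(query_string, body="", limit=DEFAULT_MAX_PARAMETER_COUNT):
    """Parse application/x-www-form-urlencoded parameters from the query
    string and the request body into a dict of name -> list of values.

    The limit applies to the combined count and is checked *before* each
    pair is decoded and stored, so a request with a million parameters
    costs no more than a request with `limit` + 1 of them: the parser
    never decodes, hashes or stores the surplus. Simplified model only;
    this is not Tomcat's own parameter-parsing code.
    """
    params = {}
    count = 0
    for raw in (query_string, body):
        if not raw:
            continue
        for pair in raw.split("&"):
            if pair == "":
                continue  # tolerate "a=1&&b=2"
            count += 1
            if count > limit:
                raise TooManyParameters(
                    f"request has more than {limit} parameters")
            # Only reached for pairs within the limit: decode and store.
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def build_query(n, prefix="p"):
    """Constructed sample input: a query string with n distinct parameters."""
    return "&".join(f"{prefix}{i}={i}" for i in range(n))
```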

